Mountain View must be starting to worry more about living up to its "Don't be evil" mantra: it has released a new web application security testing tool that had been under development internally. Skipfish is its name, and it's sure to add another tool to your developer toolbox. On the flip side, this tool will definitely also pop up on the radar of the very people it's trying to stop.

Why do I care?

Skipfish is very similar to a number of tools on the market, such as HP's WebInspect, Nikto2 and Nessus, and unlike WebInspect, Skipfish has a much lower price point (free). All these tools are designed to scan web sites for vulnerabilities so that they can be addressed before the bad guys find them.

"We feel that Skipfish will be a valuable contribution to the information security community, making security assessments significantly more accessible and easier to execute."

The tool still appears to be quite young in its development life cycle. It should run on Windows, Mac OS X and BSD; however, no binaries have been provided.

Most web developers spend a lot of time getting things out the door and, in my experience, not enough paying close attention to forward-thinking use-case testing, such as checking for cross-site scripting and SQL injection vulnerabilities.
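As an added illustration (not from the original post and not Skipfish's own code), here is what those two vulnerability classes look like in application code, with the weak version beside the hardened one: a query assembled by splicing user input into SQL next to a parameterized query, and an HTML greeting that reflects input unescaped next to one that escapes it. A scanner like Skipfish is what finds the weak versions from the outside; the fixes live in the code. The users table, the inputs and the function names are constructed for this example.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so a quote inside
    `name` changes the structure of the query instead of just its data."""
    query = f"SELECT name FROM users WHERE name = '{name}' ORDER BY rowid"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """Hardened: the driver binds `name` as a parameter, so it is always
    treated as a value and never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY rowid", (name,)
    )
    return [row[0] for row in rows]


def compare_lookup(name):
    """Run the same input through both lookups and return (unsafe, safe)."""
    conn = make_db()
    try:
        return find_user_unsafe(conn, name), find_user_safe(conn, name)
    finally:
        conn.close()


def render_greeting_unsafe(name):
    """Vulnerable: untrusted input reflected straight into the HTML body."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Hardened: escape for the HTML body context before reflecting."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    # A normal name behaves the same in both lookups; a name carrying a quote
    # widens the unsafe query to every row while the safe one matches nothing.
    print(compare_lookup("alice"))
    print(compare_lookup("x' OR '1'='1"))
    # Markup in the input is rendered as markup by the unsafe greeting and as
    # visible text by the escaped one.
    print(render_greeting_unsafe("<b>guest</b>"))
    print(render_greeting_safe("<b>guest</b>"))
```

The point of the pairing is that the hardened versions do not try to recognise bad input; they keep data and code (SQL text, HTML markup) in separate channels, which is why they hold up against inputs nobody anticipated.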

A closer look

Google's ninjas extraordinaire have written Skipfish from the ground up in C, making it extremely efficient while scanning your site. It has been released in source-code-only form, so unless you're willing to wait around for someone to compile it for you, you might need to get your hands dirty.

It is touted to scan for a multitude of low-, medium- and high-risk issues, including:

While, as I stated above, Skipfish is by no means the only tool of its kind, it is great to see Google both releasing more internal code to the world and making it easier for developers to dot their i's and cross their t's. Web security is an important part of any web app developer's job, so having more free tools around to make that job easier can only be a good thing.